Please keep in mind that FP and ASA are two logically separate devices, even though FP is physically hosted inside an ASA as a software service or hardware module. Upgrading the ASA to a 5500X model is the prerequisite. After that, FP can be installed and you are free to choose whether or not to redirect traffic from the ASA to FP.

Please check the datasheet for the FP capacity of the model you have.

Not sure what you mean by single-sign-on. FP/FireSIGHT relies on the username-to-IP mapping provided by the Sourcefire User Agent and allows you to use a user or user group in an access-control list, so the user does not actually need to perform additional authentication.

URL filtering by category is supported with a URL license.

One main difference is that FP does not function as a web proxy/cache or support WCCP like WSA.

FirePower cannot force a user to have only a single session, although it will be able to track all the IPs the user is coming from via the Sourcefire User Agent and enforce access control properly. Any application filtering capability requires FirePower with a Control (AVC) license.